Admin audit log

View administrator activity in the Admin console

You can use the Admin audit log to see a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a G Suite service.

For other services and activities, such as Google Drive and user activity, see the list of audit logs.

Step 1: Open your Admin audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Admin.
  4. (Optional) To select the columns that you want to see or hide, next to the columns, click Manage columns Manage columns.

Step 2: Understand Admin audit log data

Data Type Description
Event name The action that was logged, such as revoking a security key or deleting a user.
Event description Details about the action, such as the name of the deleted user.
IP address IP address of the administrator. Usually reflects the administrator's physical location, but could be a proxy server or a VPN address.
Date Date and time of the event (displayed in your browser's default time zone).
Admin

Name of the admin who performed the action. If an admin performs an action that triggers a change to a user’s license, then you will see License Manager instead.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Details on audit logs

Information on how the log records some activities: 

  • Admin role assignment—If you assign a pre-built Super Admin role to a user,  the log shows the Event Description as Role _SEED_ADMIN_ROLE.
  • Groups—Logs group actions performed in the Admin console. See the Groups audit log for actions performed in Google Groups for Business.
  • Marketplace services—Logs when an administrator adds/removes an app, turns on/off an app, and authorizes/removes API client access. Some apps might not have IP address details.
  • Access groups—Logs when a service is turned on or unset for an access group. For example, if Gmail is turned on for an access group:

    Service Gmail changed to true for Solarmora organization unit in Solarmora.com (Group Email(s):

    {access-gmail-testers@solarmora.com})

The access group is listed as Group Email(s):groupname. The log shows the change was made to the top-level organization. However, the change affected only the members of the access group, not the top-level organization.

If a service is unset for an access group, the change is shown as inherited from the top-level organization. However, members of the group receive the service on/off setting of any other access groups they belong to, and then their organization.

Service Gmail changed to INHERIT_FROM_PARENT for Solarmora organization unit

in Solarmora.com (Group Email(s): {access-gmail-testers@solamora.com})

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or administrators. For example, find all log events for when an admin changed a password for a particular user.

  1. Open your Admin audit log as shown above.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between parent and child organizational units in a domain.

  1. Open your report as shown above.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open your report as shown above.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or Comma-separated values (.csv).
  6. Click Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.

Step 4: Set up email alerts

You can get email alerts for any combination of the data that you can view in the log except the date and time range.

  1. Open your Admin audit log as shown above.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit custom alerts, go to Administrator email alerts.

Was this helpful?
How can we improve it?